HPE Storage Users Group
https://3parug.com/

3.3.1 MU3 Upgrade - Error: ldap-ssl-cacert must be defined.
https://3parug.com/viewtopic.php?f=18&t=3283

Author:  msarro [ Tue Sep 24, 2019 9:34 am ]
Post subject:  3.3.1 MU3 Upgrade - Error: ldap-ssl-cacert must be defined.

Hey everyone. I am working through writing docs to get MU3 installed across our fleet of 3PAR 8440s. Everything seems to be fine, except when I run the system readiness check I get the following test as failed:

Quote:
Error: ldap-ssl-cacert must be defined.
Import a LDAP certificate via 'importcert ldap -ca <cert>'.


At the moment we're using a simple LDAP binding to a federated AD global catalog (port 3269). We aren't using SSL certificates, and it's working just fine.

Can this failure be safely ignored, or is it a new hard requirement? My big concern is that our organization uses a massive p7b cert chain for its CA cert and a lot of devices have a very hard time leveraging it - 3PAR included. So a simple binding tends to work best for us.

Per Microsoft, global catalogs don't necessarily support SSL by default:
Quote:
Note that SSL is not available by default on your domain controllers. You need to deploy a PKI and issue certificate for your domain controller.

https://social.technet.microsoft.com/Fo ... inserverDS

So that would seem to indicate that this shouldn't be a hard requirement, correct?

Edit: I've been able to add in our CA root certificate (ignored the rest of the bundle), but doing so automatically switches from simple binding to SASL/DIGEST-MD5. As soon as we do that, we can no longer authenticate. Switching back to simple on the CLI seems to keep the CA cert, but also allows us to authenticate.

All times are UTC - 5 hours